TechSpot

I did the 5 steps virus removal and now my desktop icons are missing... Help plz

By Donovantriipp
Jan 18, 2012
  1. Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.18.02

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Chata ****up :: TOSHIBA [administrator]

    Protection: Disabled

    1/18/2012 1:24:38 AM
    mbam-log-2012-01-18 (01-24-38).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 179616
    Time elapsed: 2 minute(s), 57 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    HKCR\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|gfUomFNvRQL.exe (Trojan.FakeAV) -> Data: C:\ProgramData\gfUomFNvRQL.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winupd (Trojan.Agent) -> Data: C:\Users\CHATAF~1\AppData\Local\Temp:winupd.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 8
    C:\ProgramData\gfUomFNvRQL.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\Chata ****up\AppData\Local\Temp\p9pl6600832251934175411.tmp (Exploit.Drop.3P) -> Quarantined and deleted successfully.
    C:\Users\Chata ****up\AppData\Local\Temp\uFJTPry9GjuugC.exe.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\Chata ****up\AppData\Local\Temp\notepad.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    C:\Users\Chata ****up\AppData\Local\Temp\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Chata ****up\AppData\Local\Temp\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\users\chata ****up\appdata\local\temp:winupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\users\chata ****up\appdata\local\temp:winupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)
    \SysWow64\secur32.dll
    2011-11-17 05:28:48 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
    2011-11-15 22:29:56 270720 ------w- C:\windows\System32\MpSigStub.exe
    2011-11-05 05:32:50 2048 ----a-w- C:\windows\System32\tzres.dll
    2011-11-05 04:26:03 2048 ----a-w- C:\windows\SysWow64\tzres.dll
    2011-11-04 01:53:39 2309120 ----a-w- C:\windows\System32\jscript9.dll
    2011-11-04 01:44:47 1390080 ----a-w- C:\windows\System32\wininet.dll
    2011-11-04 01:44:21 1493504 ----a-w- C:\windows\System32\inetcpl.cpl
    2011-11-04 01:34:43 2382848 ----a-w- C:\windows\System32\mshtml.tlb
    2011-11-03 22:47:42 1798144 ----a-w- C:\windows\SysWow64\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- C:\windows\SysWow64\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
    2011-10-26 05:21:20 43520 ----a-w- C:\windows\System32\csrsrv.dll
    2011-10-24 22:29:02 94208 ----a-w- C:\windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 22:29:02 69632 ----a-w- C:\windows\SysWow64\QuickTime.qts
    .
    ============= FINISH: 2:05:57.88 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/4/2011 3:29:10 PM
    System Uptime: 1/18/2012 1:29:18 AM (1 hours ago)
    .
    Motherboard: Intel Corp. | | Base Board Product Name
    Processor: Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz | CPU1 | 2401/1333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 450 GiB total, 400.669 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP26: 1/7/2012 3:15:32 PM - Windows Update
    RP27: 1/11/2012 3:33:01 PM - Windows Update
    RP28: 1/11/2012 7:31:34 PM - Windows Update
    RP29: 1/12/2012 4:52:45 PM - Windows Update
    RP30: 1/12/2012 9:22:23 PM - Restore Operation
    RP31: 1/12/2012 9:43:35 PM - avast! Free Antivirus Setup
    RP32: 1/12/2012 9:45:52 PM - Windows Update
    RP33: 1/12/2012 9:46:24 PM - avast! Free Antivirus Setup
    RP34: 1/12/2012 9:50:08 PM - avast! Free Antivirus Setup
    RP35: 1/13/2012 3:00:12 AM - Windows Update
    RP36: 1/16/2012 5:55:09 PM - Windows Update
    RP37: 1/17/2012 9:32:06 PM - Installed SRS Audio Essentials.
    RP38: 1/17/2012 9:38:00 PM - Removed SRS Audio Essentials.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    7-Zip 9.20
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.2) MUI
    Apple Application Support
    Apple Software Update
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    avast! Free Antivirus
    Bejeweled 3
    Chuzzle Deluxe
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    D3DX10
    Fast Search
    FATE - The Traitor Soul
    Finding Nemo UWF
    Finding Nemo: Nemo's Underwater World of Fun
    Fishdom (TM) 2
    Google Chrome
    Google Talk (remove only)
    Google Talk Plugin
    Google Update Helper
    InstallIQ Updater
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Intel(R) Rapid Storage Technology
    Java Auto Updater
    Java(TM) 6 Update 25
    Junk Mail filter update
    Label@Once 1.0
    Malwarebytes Anti-Malware version 1.60.0.1800
    Mesh Runtime
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Starter 2010 - English
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    MSVCRT
    MSVCRT_amd64
    Netwaiting
    Pandora
    Penguins!
    Plants vs. Zombies - Game of the Year
    PlayReady PC Runtime x86
    Polar Bowler
    QuickTime
    Realtek USB 2.0 Reader Driver
    Realtek WLAN Driver
    Safari
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Skype Launcher
    Tixati
    Tom Clancy's Splinter Cell
    Toshiba App Place
    TOSHIBA Application Installer
    TOSHIBA Assist
    Toshiba Book Place
    TOSHIBA Bulletin Board
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    Toshiba Laptop Checkup
    TOSHIBA Media Controller
    TOSHIBA Media Controller Plug-in
    Toshiba Online Backup
    TOSHIBA Quality Application
    TOSHIBA Recovery Media Creator
    TOSHIBA ReelTime
    TOSHIBA Resolution+ Plug-in for Windows Media Player
    TOSHIBA Service Station
    TOSHIBA Sleep Utility
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TOSHIBA Web Camera Application
    TOSHIBA Wireless LAN Indicator
    TOSHIBARegistration
    UnHackMe 5.99 release
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update Installer for WildTangent Games App
    Virtual Villagers 5 - New Believers
    WildTangent Games
    WildTangent Games App (Toshiba Games)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    YouTube Downloader 3.5
    Zuma's Revenge
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/18/2012 1:15:05 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    1/18/2012 1:15:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/18/2012 1:15:05 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/18/2012 1:15:03 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/18/2012 1:14:55 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/18/2012 1:14:43 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache spldr Wanarpv6
    1/18/2012 1:14:39 AM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
    1/17/2012 9:32:47 PM, Error: Service Control Manager [7030] - The SRS HDAudio Lab Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    1/17/2012 6:51:11 AM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.6 with the system having network hardware address 20-4E-7F-B6-09-AC. Network operations on this system may be disrupted as a result.
    1/12/2012 9:38:20 PM, Error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
    1/12/2012 9:19:40 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    1/12/2012 9:19:39 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    1/12/2012 9:19:36 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    1/11/2012 4:25:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    1/11/2012 4:25:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    .
    ==== End Of File ===========================
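The Malwarebytes log above is worth reading closely, because it shows three persistence tricks in one infection: a Run-key autostart whose target is not a file but an NTFS alternate data stream attached to the Temp folder (`...\Local\Temp:winupd.exe`), a second autostart dropped as a randomly named executable in the root of `C:\ProgramData`, an `Image File Execution Options` key for `IEXPLORE.EXE`, and two Start menu values flipped to 0 so the user cannot reach Computer or Search. The PowerShell below is an added example (not from the thread, and not one of the tools the helper asks for) that re-checks the system for exactly those artefacts after quarantine. It is read-only. One assumption is labelled in the code: the log only shows the IFEO key being removed, and the script checks for a `Debugger` value because that is how that key is usually abused.

```powershell
# Added example, not part of the original thread: re-checks the persistence
# artefacts the Malwarebytes log reported (Run-key autostarts pointing at
# ProgramData/Temp or at an NTFS alternate data stream, an Image File Execution
# Options key for IEXPLORE.EXE, and the Start_Show* Start menu values set to 0).
# Assumption: the IFEO key was abused via a 'Debugger' value (the usual pattern);
# the log only shows that the key itself was removed.
# Read-only: it reports, it does not delete. Run from an elevated PowerShell.

$findings = @()

# --- 1. Run/RunOnce autostarts ---------------------------------------------
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
        $data = [string]$p.Value
        # Image path = the quoted first token if present, else the first whitespace-delimited token.
        if ($data -match '^"([^"]+)"') { $image = $Matches[1] } else { $image = ($data -split '\s+')[0] }
        $image = [Environment]::ExpandEnvironmentVariables($image)

        if ($image -match '^[A-Za-z]:\\.*:[^\\]+$') {
            # A second ':' after the drive letter with no '\' after it is an
            # alternate data stream, e.g. ...\AppData\Local\Temp:winupd.exe
            $findings += "ADS autostart              $key\$($p.Name) -> $data"
        }
        elseif ($image -match '^[A-Za-z]:\\ProgramData\\[^\\]+\.exe$' -or
                $image -match '\\AppData\\Local\\Temp\\') {
            # Matches whether the profile is written long-form or as 8.3 (CHATAF~1).
            $findings += "Temp/ProgramData autostart $key\$($p.Name) -> $data"
        }
    }
}

# --- 2. Image File Execution Options 'Debugger' hijacks --------------------
# Review hits by hand: debuggers such as Visual Studio's set this legitimately.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger              $($sub.PSChildName) -> $dbg" }
    }
}

# --- 3. Start menu values Malwarebytes repaired (PUM.Hijack.StartMenu) -----
$adv = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($name in 'Start_ShowMyComputer', 'Start_ShowSearch') {
    $v = (Get-ItemProperty -Path $adv -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 0) { $findings += "Start menu hijack          $adv\$name = 0 (expected 1)" }
}

# --- 4. Alternate data streams on the Temp folder itself -------------------
# The payload was stored as a stream OF the Temp directory, not as a file IN it,
# so an ordinary directory listing never shows it.
$tempDir = Join-Path $env:LOCALAPPDATA 'Temp'
if ((Get-Command Get-Item).Parameters.ContainsKey('Stream')) {
    # PowerShell 3.0+ (stock Windows 7 has 2.0; WMF 3.0 adds -Stream)
    $streams = Get-Item -LiteralPath $tempDir -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -notlike ':$*' }   # drop :$DATA / :$I30:$INDEX_ALLOCATION
    foreach ($s in $streams) {
        $findings += "ADS on Temp folder         $($s.FileName):$($s.Stream) ($($s.Length) bytes)"
    }
} else {
    # PowerShell 2.0 fallback: cmd's 'dir /r' shows streams on directory entries too.
    $lines = cmd /c "dir /r /a:d `"$env:LOCALAPPDATA`"" | Select-String -Pattern 'Temp:[^:\s]+:\$DATA'
    foreach ($l in $lines) { $findings += "ADS on Temp folder         $($l.Line.Trim())" }
}

# --- Report ----------------------------------------------------------------
if ($findings.Count -eq 0) { 'No matching persistence artefacts found.' }
else { $findings | Sort-Object -Unique }
```

Run it once before and once after the cleanup tools the helper prescribes; anything still reported after the second run is something the scanners missed and should be posted in the thread rather than deleted by hand.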
     
  2. Bobbye


    Welcome to TechSpot! I can help with the malware, but it appears you may be following directions given to another member.

    You have also left a part of a log here: (end) of Malwarebytes> next entry is \SysWow64\secur32.dll followed by several more entries ending with 2011-10-24 22:29:02 69632 ----a-w- C:\windows\SysWow64\QuickTime.qts. At the end is ============= FINISH: 2:05:57.88 ===============
    That may be a part of the other DDS log. So please find and paste in the entire DDS.txt log. I do not need the Attach.txt log again. The DDS.txt log has system entries that I can use to help you.
    =========================================
    Now, let's get you started off right: You may have done the five steps, but you ran the scans in Safe Mode with Networking. That may be indicated in what I give you next, but it is not indicated for the Preliminary scans:

    To get the desktop icons and other 'missing' features back, please run the following:
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This will allow you to see those features that were 'missing', but it does not remove the malware itself. So it's important that you continue.
    ==============================================
    Have you lost the internet connection? If not, please run the following in Normal Mode. I'll have you go to Safe Mode with Networking after I see the additional logs.
    Note: If you cannot run Combofix, please come back and tell me what happens.

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===============================
    I'd like to check the Services. It appears that some aren't set correctly:

    Please download Farbar Service Scanner
    • Check Include all files option
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
    ====================================
    Did you run GMER? Log?
    ===================================================
    Please paste the logs into your next reply.
    ==================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================.
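The Unhide step in the reply above works because this family of fake antivirus does not delete the user's files; it sets the Hidden attribute on them (and on the desktop and Start menu folders) so the desktop looks wiped and the victim panics into buying the "fix". The script below is an added example, not the helper's Unhide.exe and not from the thread, that does the same job in PowerShell with two refinements a practitioner would want: it only touches the user's own folders and the shared Desktop/Start Menu rather than every fixed drive, and it skips items Windows hides on purpose (anything carrying the System attribute, `desktop.ini`, and junctions), so legitimately hidden OS files stay hidden. The folder list is an assumption about where a fake-AV hides things. As the helper notes for Unhide.exe, this only restores visibility and removes no malware.

```powershell
# Added example, not the helper's Unhide.exe and not from the thread: clears the
# Hidden attribute a fake-AV set on the user's files and folders, limited to the
# user's own folders plus the shared Desktop/Start Menu (assumed locations), and
# skipping anything Windows itself hides (System-flagged items such as desktop.ini
# and ntuser.dat, and reparse points). Run with -WhatIf first to preview.
# Like Unhide.exe this only restores visibility; it removes no malware.
param([switch]$WhatIf)

$roots = @(
    'Desktop', 'Documents', 'Downloads', 'Pictures', 'Music', 'Videos', 'Favorites' |
        ForEach-Object { Join-Path $env:USERPROFILE $_ }
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu')
    (Join-Path $env:PUBLIC 'Desktop')
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
) | Where-Object { Test-Path -LiteralPath $_ }

$hidden  = [IO.FileAttributes]::Hidden
$system  = [IO.FileAttributes]::System
$reparse = [IO.FileAttributes]::ReparsePoint
$count   = 0

foreach ($root in $roots) {
    # -Force is what makes hidden items appear at all; include the root folder
    # itself, since the fake-AV hides whole folders as well as their contents.
    $items = @(Get-Item -LiteralPath $root -Force) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $a = $item.Attributes
        if (($a -band $hidden)  -eq 0) { continue }        # not hidden, nothing to do
        if (($a -band $system)  -ne 0) { continue }        # OS-hidden (desktop.ini, ntuser.dat): leave it
        if (($a -band $reparse) -ne 0) { continue }        # junctions / symlinks
        if ($item.Name -ieq 'desktop.ini') { continue }
        if ($WhatIf) {
            "would unhide: $($item.FullName)"
        } else {
            $item.Attributes = $a -bxor $hidden            # clear only the Hidden bit
            "unhid:        $($item.FullName)"
        }
        $count++
    }
}
"$count item(s) $(if ($WhatIf) { 'would be' } else { 'were' }) unhidden."
```

Save it as `Unhide-UserFiles.ps1` and run `.\Unhide-UserFiles.ps1 -WhatIf` from the user's own (non-elevated) session first, since the attributes were set on that profile; on stock Windows 7 you may need `Set-ExecutionPolicy RemoteSigned -Scope Process` before the script will run. The Start menu values the log shows flipped to 0 (`Start_ShowMyComputer`, `Start_ShowSearch`) are registry data, not file attributes, so they are outside this script's scope; Malwarebytes reported repairing those already.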
     